| Of course I could be barking up a well worn tree. In that case I'd like to | see what work has been done in this area. I'm sure people will disagree with me on this. But I think that by submitting passwords found in the wild that are not dictionary words, other than those that are fairly standard guessable passwords (nouns, in phrases "aybabtu, ph34r, etc", l33tspeak "p455w0rd"), you will just end up in manually creating a list of the full range of passwords that you would get by just running: john -i:all -stdout Wordlists are good, but the idea is to put the most common words in there so that these can be tried first, before your brute forcer goes and tries all number/letter/punctuation combinations. So essentially it does do the monkeys with typewriters thing without you needing to list the words. I would say that a wordlist should be restricted to dictionary words, nouns, really common passwords, etc then using something like John you can get all those permutations that you want. Infact taking john as an example again, I think that their algorithm even does it's permutations in a specific order to auto-generate the combinations found in the wild most frequently first (but don't quote me on that ;P). Anyway, enough of my babble ;) Lee -- Lee Brotherston - IP Security Manager, Easynet Ltd http://www.easynet.net/ Phone: +44 20 7900 4444 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 10:46:47 PST